Cloud Strategy & Architecture Posts

Authentication and Authorization with Shibboleth and LDAP

Previously, I tried setting up a more efficient Shibboleth Attribute Authority - one where I could query whether a specific user holds a specific value for a specific attribute (e.g. does jane@itlab.stanford.edu have an experimentId attribute with the value 2?). While you can add attribute values to the attribute elements in a SimpleAggregation AttributeResolver query, the IdP rejects the query.

Another Shib-based option would be to develop a plugin that can create attributes from server environment variables (like REMOTE_URI). One could then use the Template and Transform Attribute Resolvers to create a new NameID attribute for the SimpleAggregation query (something like eppn:https://SERVER_NAME/REMOTE_URI). Then an Attribute Authority could be configured to split the NameID into multiple attributes and use those for a SQL query or LDAP lookup.

That seemed like a bunch of work, so instead I took a look at using Apache's mod_authnz_ldap on the SP. In this scenario, when an unauthenticated user attempts to access a set of experiment results, they are first sent to an IdP (via the embedded discovery service) to authenticate; then mod_authnz_ldap queries a remote LDAP server for attributes (group membership seems to be the easiest model) and determines whether the user has access.
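An Apache 2.4 fragment that wires up the scenario above, added here as an illustration rather than taken from the original post: the Shibboleth SP handles authentication and populates REMOTE_USER, and mod_authnz_ldap does group-based authorization. The hostname, base DN, bind account, group DN and path are assumed placeholders.

```apache
# Added example, not the post's own configuration. Placeholders throughout.
<Location /experiments>
    # Shibboleth SP authenticates the user (sending unauthenticated users to
    # the IdP chosen via the embedded discovery service) and sets REMOTE_USER
    # from the attribute named in shibboleth2.xml (eppn by default).
    AuthType shibboleth
    ShibRequestSetting requireSession 1

    # mod_authnz_ldap searches for REMOTE_USER to find the user's DN, then
    # checks group membership. The search attribute must be the one whose
    # values match REMOTE_USER: eduPersonPrincipalName for an eppn.
    # Assumed LDAP host and base DN.
    AuthLDAPURL "ldaps://ldap.example.edu/dc=example,dc=edu?eduPersonPrincipalName?sub?(objectClass=person)"
    # Read-only service account (placeholder credentials; keep them out of
    # version control).
    AuthLDAPBindDN "cn=apache-reader,ou=service,dc=example,dc=edu"
    AuthLDAPBindPassword "placeholder-change-me"

    # Groups list member DNs in their "member" attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Only members of this (assumed) group may see the experiment results.
    Require ldap-group cn=experiment-2,ou=groups,dc=example,dc=edu
</Location>
```

Use ldaps:// (or STARTTLS) with Apache's LDAPTrustedGlobalCert configured so the group lookup cannot be tampered with in transit; a failed lookup denies access rather than falling through.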

Google I/O 2012

Shiny Toys

Since it was Google I/O, every attendee received some shiny toys: a Nexus phone and Nexus 7 tablet, a Nexus Q streaming media player, and a Chromebox (the ChromeOS version of a Mac Mini).

The Nexus Q doesn't really have any impact on IT, and it's an odd system: it costs over 3 times as much as other streaming appliances, like Roku and Apple TV, but at this time, can only stream movies, TV and music from Google Play - no Netflix, Amazon Video or Pandora (i.e. all the services most people already use), and obviously no iTunes.

Unlike the Q, the phone and tablet are actually useful. Not only do they both run the latest version of Android (4.1 aka JellyBean - preinstalled on the tablet, and upgraded over the air on the phone a day after I/O) - they run "pure" Android - no manufacturer or carrier software is installed on the device. The Nexus phone is unlocked, and can be used on any GSM carrier (although the pay-as-you-go plans available in the US aren't that great, and because I have a discounted AT&T contract through Stanford, I'd need to sign up for a 2-year plan on the phone). Both devices were easy to set up with Stanford Email and Calendar (not surprising since I've already migrated to Google), and Google Drive on Android has support for multiple accounts (unlike the iOS client).

One of the big announcements was that Chrome is now the standard browser in Android 4.1, and that Chrome was being released for iOS too (the iPhone and iPad version were released later on the first day of I/O). All the mobile versions of Chrome support Chrome Sync, which allows you to sync bookmarks, open tabs, auto-fill information (and optionally passwords) to one of your Google Accounts. Obviously this has privacy issues, but being able to browse the list of open tabs in Chrome on your laptop from your phone or tablet is very convenient.

Architecting with AWS Training

I recently took the Architecting with Amazon Web Services training class. The class is taught by AWS Solutions Architects, rather than by dedicated training staff, so the instructors have real, practical experience with helping customers use AWS; the SAs use that experience, and feedback from each class, to continually improve the class.

The class covered most of the services available via AWS, although it was pretty light on Elastic Beanstalk, Amazon's new Java and PHP Platform as a Service (PaaS) offering. Each day was made up of a mix of presentations covering the various services, group paper / whiteboard architecture exercises and discussions, and hands-on exercises with various AWS components and tools.

Breaking Development, April 2012

I went to my third (of three) Breaking Development Conference in April - this time it was in a biodome in Orlando, FL.

Following on from the themes of the previous conferences, a large part of the conference was focused on responsive web design (RWD). RWD was proposed as a widely applicable solution at the first BDConf, and reinforced at the second by the people behind the Boston Globe's RWD redesign. This time, RWD was refined (using ems rather than pixels for layout), design workflows were discussed, and there was a tutorial on how to build a responsive website, starting from both a traditional site and a mobile-first design. Other topics were covered, including device APIs for web apps, and the future browser and device landscape - even TVs!

While I took notes, Brad Frost did an excellent job of summarizing each session, so I'm going to link to his blog; Jenifer Hanen also has notes on all the sessions.

IIW XI

The 11th unconference formerly known as the Internet Identity Workshop (and now known simply as IIW) was held at the Computer History Museum, Nov 2-4.…